FreeIPA Audit User Migration
General Information
Audit which user accounts still need to migrate their passwords and get Kerberos hashed keys in the IPA domain.
Checklist
- FreeIPA servers already installed/configured.
- Client systems migrated.
- Now just monitoring user accounts as they get their Kerberos hashed password keys in the new FreeIPA realm.
The Script
Run on an IPA server to determine which accounts still need Kerberos keys.
- audit-migration-users.sh
#!/bin/bash
# Name: audit-migration-users.sh
# Description: Audit which user accounts remain to migrate
#              passwords and get kerberos keys
# Last Updated: 2016-11-25
# Recent Changes:-initial release
################################################################

echo -e "This script will determine which users are left to enter their password for a kerberos key."
echo -e "\n>>Continue?[y/n]:\c"
read -r run_script

if [[ "${run_script}" != "y" ]]; then
  echo -e "\n>>Will not run the audit. Exiting..."
  exit 1
fi

# Log file to store users left to migrate
log_file="/root/migration-scripts/audits/user-migration.log"

# Clear log file
echo -e "\n>>Clearing log file..."
cat /dev/null > "${log_file}"

# Build a list of enabled accounts
#- Find all users | grep logins and disabled status lines |
#- If the current line matches "False" (/False/), print the stored username (print username),
#- next, store the current line's field 3 in the variable username (username=$3)
user_list=$(/usr/bin/ipa user-find --sizelimit=0 --all | grep -E "(User login|Account disabled)" | awk '/False/ { print username }; { username=$3 }')
# Word-split on purpose: one login per word
total_users=$(echo ${user_list} | wc -w)

for user_name in ${user_list}; do
  echo -e ">> Checking ${user_name}..."

  # Check to see if the user has a kerberos key
  kerberos_key="$(ipa user-show "${user_name}" | awk '/Kerberos keys available/ {print $4}')"

  # If False, add to the list of users that still need to migrate their password
  if [[ "${kerberos_key}" == "False" ]]; then
    echo -e "--> User does not have kerberos keys, adding to the list: ${user_name}"
    echo "${user_name}" >> "${log_file}"
  fi
done

# Count the logged users without printing the file name
left_to_convert="$(wc -l < "${log_file}")"

echo -e "\n--------------------"
echo -e ">> Users enabled left to get kerberos keys: ${left_to_convert}"
echo -e ">> Total enabled users: ${total_users}"